Thread User privileges
Wed, Dec 26 2007 5:50 AM

Roy Lambert

NLH Associates

Team Elevate

Tim

I want to create a user that ONLY has read privileges on Users. The logic is I want to use ElevateDB's users but also to do my own logon dialog. I need a logon/password combo to allow me to read the users file so that I can make sure it's a valid ID and display the user name before the password is entered and the database opened.

I tried creating a user in EDBManager and not granting any privileges. I tested access to the database and its tables, that was allowed as was inserting a row, deleting a row etc.

Looking at things I'm guessing a new user is given the role Public, but this isn't being properly tested in EDBManager.

I know I won't get exactly what I want, but what's the nearest I can achieve?

The logic, by the way, is that this is the only password I want to code in clear in my app.

Roy Lambert
Wed, Dec 26 2007 6:11 AM

"Fons Neelen"
Hi Roy,

> Looking at things I'm guessing a new user is given the role Public, but
> this isn't being properly tested in EDBManager.

I can confirm from my own experience (using C/S setup) that new users are
given the Public role. I just revoke it and grant them my own role. I have 2
roles: one in the Configuration database (using grant / revoke statement)
and one in my database (which manages the rights in my app). The one in the
Configuration database is hand made as well.

> The logic, by the way, is that this is the only password I want to code in
> clear in my app.

I use the Users table in the Configuration database (and therefore the
password built into ElevateDB) as well as my own users table, which of course
has the same user name. So, the right to access the database (and my app) is
handled by ElevateDB and using the user name linked to the rights in my app
in a "My App Rights" table.

I don't show a list of users. They simply need to type that in by themselves
(provides extra security) using my own login dialog and when the right
combination of username and password is accepted by ElevateDB then I read
from "My App Rights" table the other rights to set up what a user can or
can't do.

This is of course all in a C/S setup, but should work in fileserver
mode as well.

Best regards,
Fons

Wed, Dec 26 2007 6:47 AM

Roy Lambert

NLH Associates

Team Elevate

Fons


What you describe is pretty much what I want to do. I'm not going to be showing a list of users, just that if they type in RL as user ID I'd like to display Roy Lambert before they enter the password and login.

Roy Lambert
Wed, Dec 26 2007 6:59 AM

"Fons Neelen"
Hi Roy,

> What you describe is pretty much what I want to do. I'm not going to be
> showing a list of users, just that if they type in RL as user ID I'd like to
> display Roy Lambert before they enter the password and login.

Ahhh, I understand now. But why? I see no real benefits and it only makes
things more complicated.

I guess one way of achieving this is to login at startup of your app as an
administrator (all invisible to the user of course) and get the list of IDs
and user names from the Users table and store it in a StringList or memory
table. That way you can look up the ID and get the associated name when the
user enters the ID.

Maybe Tim knows some (smarter) way of doing this.

Best regards,
Fons
Thu, Dec 27 2007 3:49 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Roy,

<< What you describe is pretty much what I want to do. I'm not going to be
showing a list of users, just that if they type in RL as user ID I'd like to
display Roy Lambert before they enter the password and login. >>

I wouldn't do that - it's a security risk because it gives a hacker a
positive result when they get a valid user name.

--
Tim Young
Elevate Software
www.elevatesoft.com
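
The risk raised in the post above, shown as an added example that is not part of the original thread and is not ElevateDB or Elevate Software code: a pre-password name lookup answers differently for valid and invalid IDs, while a combined check returns one generic failure for both. The user store, the function names (`lookup_name`, `login`, `enumerable_ids`), the PBKDF2 settings and the sample password are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor for this sketch


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _record(full_name: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"name": full_name, "salt": salt, "hash": _hash(password, salt)}


# Constructed sample store; a real application would read its own users table.
USERS = {"RL": _record("Roy Lambert", "correct horse")}
# Dummy record so an unknown ID costs the same hashing work as a known one.
_DUMMY = _record("", os.urandom(16).hex())
GENERIC_FAILURE = "Invalid user ID or password"


def lookup_name(user_id: str):
    """Pre-password name display: answers before any secret is presented."""
    rec = USERS.get(user_id)
    return rec["name"] if rec else None


def login(user_id: str, password: str):
    """Reveal the name only after the ID and password are accepted together."""
    rec = USERS.get(user_id)
    candidate = rec or _DUMMY
    ok = hmac.compare_digest(_hash(password, candidate["salt"]), candidate["hash"])
    if rec is not None and ok:
        return True, "Welcome, " + rec["name"]
    return False, GENERIC_FAILURE


def enumerable_ids(responder, probes):
    """IDs whose response differs from the response to a known-invalid ID."""
    baseline = responder("\x00no-such-user")
    return [p for p in probes if responder(p) != baseline]


if __name__ == "__main__":
    probes = ["RL", "XX", "ADMIN"]
    print(enumerable_ids(lookup_name, probes))                 # name display
    print(enumerable_ids(lambda u: login(u, "guess"), probes))  # combined check
```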

Fri, Dec 28 2007 5:31 AM

Roy Lambert

NLH Associates

Team Elevate

Tim

>I wouldn't do that - it's a security risk because it gives a hacker a
>positive result when they get a valid user name.

Well, at least that gives me an out when I'm asked why I've changed things - it's to improve security :)

Roy Lambert